fix(core-rpc): demote timeout unhandled-rejections + classify in client (#REACT-15+)

[oxoxDev]

Summary

• Promote local 30 s AbortController RPC timeout from bare Error → CoreRpcError(kind='timeout') so callers, Sentry filters, and future telemetry can branch on a stable kind instead of regex-matching messages.
• Add 'timeout' precedence to classifyRpcError so the local-ceiling shape wins over the broader transport arm (mirrors PR fix(observability): demote loopback sidecar-down noise to expected (#R5 #R6) #2063 loopback-vs-transport).
• Stop the OPENHUMAN-REACT-15/11/10/12/Z/Y unhandled-rejection family at the three settings panels (TeamPanel, TeamInvitesPanel, TeamMembersPanel) and two CoreStateProvider write paths (updateLocalState, storeSessionToken).
• Last-line-of-defense beforeSend filter in analytics.ts drops any future CoreRpcError(kind='timeout') that slips past a missing .catch().

Problem

Eight Sentry issues (~18 events, 18 unique users) all triggered via auto.browser.global_handlers.onunhandledrejection:

ID	Surface	Method
OPENHUMAN-REACT-15 / 11	TeamPanel.tsx:31 → CoreStateProvider:listTeams	openhuman.team_list_teams
OPENHUMAN-REACT-10	TeamMembersPanel:44	openhuman.team_list_members
OPENHUMAN-REACT-12	TeamInvitesPanel:37	openhuman.team_list_invites
OPENHUMAN-REACT-13 / 14	Backend chain	GET /teams[/members] 504 / connect timeout
OPENHUMAN-REACT-Z / Y	Post-write refresh	openhuman.app_state_snapshot

All hit the 30 s CORE_RPC_TIMEOUT_MS ceiling (REACT-Z/Y arrived as bare Error: because coreRpcClient.ts:381 threw new Error(...) not CoreRpcError). Each call site fired the RPC as void promise(...) or void promise.finally(...) inside a useEffect, so the rejection bubbled to window.onunhandledrejection → Sentry capture.

Sister to PR #2063 (Rust-side loopback classifier) — same family of "transient infra noise the user already retries past" promoted out of the error surface.

Solution

Layer A — Classifier (coreRpcClient.ts)

• Add 'timeout' to CoreRpcErrorKind.
• classifyRpcError now checks /timed out after \d+ms/i BEFORE the generic transport arm.
• AbortController throw site (line 381) throws CoreRpcError(msg, 'timeout') instead of a bare Error — kills the REACT-Z/Y bare-Error: shape.

Layer B — Call-site .catch() (TeamPanel, TeamInvitesPanel, TeamMembersPanel, CoreStateProvider)

• Each panel's mount-effect void refresh*(...) is replaced with a .catch(err => log(...)) that demotes to a core-rpc:error breadcrumb.
• CoreStateProvider.updateLocalState and storeSessionToken now .catch() their follow-up refresh() — the polling loop reconciles within POLL_MS, so a transient app_state_snapshot timeout no longer escapes as an unhandled rejection.

Layer C — Sentry beforeSend filter (analytics.ts)

• Inspects hint.originalException and drops the event when it is a CoreRpcError (or duck-typed cross-realm equivalent) with kind === 'timeout'. Non-timeout kinds (transport, auth_expired, rate_limited, budget_exceeded, thread_not_found) still surface.

Submission Checklist

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — new logic is covered: classifier precedence + verbatim REACT-15/11/10/12/Z/Y message bodies + REACT-13 transport-stays-transport guard + AbortController throws CoreRpcError(kind='timeout') + Sentry beforeSend drops timeout / preserves non-timeout / cross-realm match. pnpm debug unit coreRpcClient (75/75) + pnpm debug unit analytics (27/27) + pnpm debug unit CoreStateProvider (22/22) all green.
• N/A: Coverage matrix updated — behaviour-only change (classifier kind variant + call-site guards); no new feature row in docs/TEST-COVERAGE-MATRIX.md.
• N/A: All affected feature IDs listed in ## Related — no matrix-tracked feature IDs touched; the Sentry IDs are listed below instead.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• N/A: Manual smoke checklist updated — no release-cut surfaces touched (docs/RELEASE-MANUAL-SMOKE.md covers UI surface, not classifier internals).
• N/A: Closes #NNN for a GH issue — this is a Sentry-only PR (mirrors PRs fix(observability): drop 401 session-expired Sentry noise (#25, #1Q, #27, #1G) #1719, fix(observability): close 3 transient-failure leak paths in Sentry classifier (#1608) #1798, fix(observability): demote loopback sidecar-down noise to expected (#R5 #R6) #2063). Sentry IDs listed under ## Related.

Impact

• Runtime/platform: Desktop (Tauri) and web — pure frontend change inside app/src/services/ + app/src/providers/ + three settings panels. No native shell, no Rust core change.
• Performance: One extra regex test per RPC classification (negligible). One extra instanceof + duck-type check per Sentry event (negligible).
• Security/PII: None. New log lines route through the existing sanitizeError helper. The beforeSend filter narrows what is sent, never broadens.
• Migration / compat: CoreRpcErrorKind adds a variant; consumers that switch on it must handle the new arm — none in this repo do today (all consumers use string equality on specific known kinds). No breaking export shape change.
• Telemetry: Expect REACT-15/11/10/12/Z/Y event counts to drop to ~0 within one release cycle; REACT-13/14 (backend-side client error (Connect)) still surface as transport — those are real backend issues, not local noise.

Related

Closes OPENHUMAN-REACT-15
Closes OPENHUMAN-REACT-11
Closes OPENHUMAN-REACT-10
Closes OPENHUMAN-REACT-12
Closes OPENHUMAN-REACT-13
Closes OPENHUMAN-REACT-14
Closes OPENHUMAN-REACT-Z
Closes OPENHUMAN-REACT-Y

Sister PR: #2063 (Rust-side loopback classifier — same family, Rust core surface).

• Closes: (Sentry IDs above — no linked GitHub issue)
• Follow-up PR(s)/TODOs: Optional hardening of other await callCoreRpc(...) consumers (coreCommandClient, coreHealthMonitor, webviewAccountService, memorySyncService, notificationService, chatService, meetCallService, walletApi, daemonHealthService, backendUrl) if their Sentry IDs surface — deliberately out of scope here.

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A — Sentry-only triage (no Linear ticket)
• URL: N/A

Commit & Branch

• Branch: fix/sentry-corerpc-unhandled-rejection
• Commit SHA: c6c966f7 (tip at push time)

Validation Run

• pnpm --filter openhuman-app format:check
• pnpm typecheck
• Focused tests: pnpm debug unit coreRpcClient (75 pass), pnpm debug unit analytics (27 pass), pnpm debug unit CoreStateProvider (22 pass)
• N/A: Rust fmt/check (no Rust changes in this PR)
• N/A: Tauri fmt/check (no Tauri shell changes in this PR)

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A — pre-push pnpm rust:check initially failed because the tauri-cef / tauri-plugin-notification vendored submodules were not yet initialized in this fresh worktree; resolved by running git submodule update --init --recursive and pushed cleanly (no --no-verify).

Behavior Changes

• Intended behavior change: Local AbortController RPC timeouts are now silent at the user-facing layer (logged breadcrumb only) and dropped by Sentry's beforeSend filter. Other error kinds (transport, auth_expired, …) are unaffected.
• User-visible effect: None for happy-path users. Users who previously hit a 30 s cold-boot timeout on /settings/teams no longer see a Sentry-reported crash — the panel quietly waits for the next poll tick / user retry.

Parity Contract

• Legacy behavior preserved: All existing classifyRpcError mappings unchanged. All non-timeout CoreRpcError kinds still surface to Sentry. The pre-existing transport arm still matches every body it matched before (the new timeout arm matches a strict subset).
• Guard/fallback/dispatch parity checks: Existing "throws CoreRpcError with kind=transport on network error" test still passes; existing "AbortController throws with timeout-shaped message" test extended to also assert the CoreRpcError instance + kind.

Duplicate / Superseded PR Handling

• Duplicate PR(s): None — FE side of the Sentry-noise family is currently unaddressed.
• Canonical PR: This PR.
• Resolution: N/A

Summary by CodeRabbit

• Bug Fixes

  • Improved error handling and logging for failed team, member, and invite refreshes (swallowing and logging refresh failures to avoid unhandled rejections)
  • Enhanced RPC timeout error detection and classification (new timeout kind)
  • Prevented unhandled promise rejections during bootstrap and local-state/session updates
  • Reduced error monitoring noise by filtering timeout errors from Sentry

• Tests

  • Added regression tests covering RPC timeout classification, Sentry filtering, and unhandled-rejection guards during data loads and provider refreshes

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3efe24b6-9723-4287-b47f-8d8c31fb2c40

📥 Commits

Reviewing files that changed from the base of the PR and between c6c966f and d70abbc.

📒 Files selected for processing (4)

• app/src/components/settings/panels/__tests__/TeamInvitesPanel.test.tsx
• app/src/components/settings/panels/__tests__/TeamMembersPanel.test.tsx
• app/src/components/settings/panels/__tests__/TeamPanel.test.tsx
• app/src/providers/__tests__/CoreStateProvider.test.tsx

---

📝 Walkthrough

Walkthrough

Adds a typed 'timeout' RPC error kind, classifies/throws timeouts from coreRpcClient, filters timeout errors from Sentry beforeSend, and wraps UI/provider refresh calls to catch and log refresh failures; tests verify classification, Sentry filtering, and no unhandled rejections.

Changes

Timeout Error Classification and Filtering

Layer / File(s)	Summary
Core RPC timeout classification app/src/services/coreRpcClient.ts	CoreRpcErrorKind adds 'timeout'. classifyRpcError matches "timed out after ms" and returns 'timeout' before other matches. callCoreRpc throws CoreRpcError(kind: 'timeout') when the AbortController timeout fires.
Core RPC timeout test coverage app/src/services/__tests__/coreRpcClient.test.ts	Tests capture rejected CoreRpcError with kind: 'timeout' and assert timeout message formatting; table-driven classifyRpcError tests include timed-out messages and precedence cases.
Sentry timeout error filtering app/src/services/analytics.ts	Imports CoreRpcError; adds isCoreRpcTimeoutError(err) (instanceof + duck-typed {name,kind}); updates Sentry beforeSend(event, hint) to drop events when the originalException is a Core RPC timeout.
Sentry timeout filtering test coverage app/src/services/__tests__/analytics.test.ts	Mock config adds CORE_RPC_URL and CORE_RPC_TIMEOUT_MS; captureBeforeSend updated to accept hint.originalException; tests ensure timeout errors (including cross-realm shapes) are dropped and non-timeout CoreRpcError shapes are allowed.
Settings panel refresh error handling app/src/components/settings/panels/TeamInvitesPanel.tsx, TeamMembersPanel.tsx, TeamPanel.tsx	Panels add debug logger and sanitizeError; refresh promise chains now include .catch(...) that logs sanitized errors and retain .finally(...) to clear loading state. TeamPanel logs CoreRpcError kind when available.
Provider refresh error handling app/src/providers/CoreStateProvider.tsx	After updateLocalState and after storing session token, provider invokes refresh().catch(...) to log sanitized errors and avoid propagating refresh failures as unhandled rejections.
UI unhandled-rejection regression tests app/src/components/settings/panels/__tests__/*, app/src/providers/__tests__/CoreStateProvider.test.tsx	New Vitest tests install window.unhandledrejection listeners and assert that panel and provider flows swallow refresh rejections (timeouts/transport) rather than surfacing unhandled promise rejections.

Sequence Diagram

sequenceDiagram
  participant Client
  participant callCoreRpc
  participant AbortController
  participant classifyRpcError
  participant Analytics_beforeSend

  Client->>callCoreRpc: invoke RPC method
  callCoreRpc->>AbortController: start timeout timer
  AbortController->>callCoreRpc: abort on CORE_RPC_TIMEOUT_MS
  callCoreRpc->>callCoreRpc: throw CoreRpcError(kind: 'timeout', message: 'Core RPC <method> timed out after Nms')
  callCoreRpc->>classifyRpcError: classify error message
  classifyRpcError->>classifyRpcError: return 'timeout'
  callCoreRpc->>Analytics_beforeSend: error reaches Sentry hook (hint.originalException)
  Analytics_beforeSend->>Analytics_beforeSend: isCoreRpcTimeoutError(hint.originalException) => true
  Analytics_beforeSend->>Analytics_beforeSend: drop event (return null)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• tinyhumansai/openhuman#2167: Modifies CoreStateProvider bootstrap/polling refresh error handling and debug logging at similar control-flow points.

Suggested reviewers

• senamakel
• graycyrus

Poem

A rabbit logs a timeout's sigh,
It classifies and gently ties.
Panels catch what used to flee,
Sentry sleeps—no noisy plea.
Hops of code, safe and spry. 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main changes: fixing timeout unhandled-rejections and adding a timeout classification in the RPC client, matching the PR's core objective of reducing Sentry noise from 30s RPC timeouts.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[graycyrus]

Review — graycyrus

Clean PR. Well-structured, layered fix for the REACT-15/11/10/12/Z/Y Sentry unhandled-rejection family.

Walkthrough

This PR adds a 'timeout' kind to CoreRpcErrorKind, promotes the AbortController throw site from bare Error to CoreRpcError(kind='timeout'), and wires .catch() guards at all five leaking call sites (three team settings panels + two CoreStateProvider write paths). A beforeSend filter in analytics.ts acts as a last-line-of-defense to drop any future timeout that slips past a missing .catch(). Test coverage is thorough — each Sentry issue ID gets explicit regression coverage.

Change Summary

File	Change	Notes
coreRpcClient.ts	Add 'timeout' kind + classifier arm + throw CoreRpcError on abort	Correct ordering before generic transport arm
analytics.ts	isCoreRpcTimeoutError + beforeSend filter	Cross-realm duck-typing is a nice touch
TeamPanel.tsx	try/catch in refreshTeamsWithLoading + defensive .catch() in useEffect	Belt-and-suspenders approach is warranted here
TeamInvitesPanel.tsx	.catch().finally() chain	Clean fix
TeamMembersPanel.tsx	.catch().finally() chain	Clean fix
CoreStateProvider.tsx	.catch() on refresh() in updateLocalState + storeSessionToken	Polling loop reconciles — correct call
6 test files	Regression tests for all Sentry IDs	unhandledrejection listener approach is solid

Notes

• Classifier precedence is correct: /timed out after \d+ms/i (local AbortController shape) fires before the generic /timed out/ in the transport arm. The existing 'operation timed out after 30s' backend shape correctly stays as transport since it lacks the ms suffix.
• The as never casts in test mocks are fine — standard Vitest partial-mock pattern.
• No security, PII, or breaking-change concerns. The new CoreRpcErrorKind variant is additive and no consumers currently switch exhaustively on it.

Nice work cleaning up this Sentry noise systematically. LGTM.